Feds Issue New HIPAA Data Breach Rules

For health care providers, health plans and other entities -- including business associates of covered entities -- that do not encrypt their health IT data, new regulations require prompt notifications to consumers in the event of a data breach.

The U.S. Department of
Health and Human Services has issued new regulations requiring health
care providers, health plans and
other entities covered by HIPAA (Health Insurance Portability and
Accountability Act) to notify individuals when their health
information is breached. The breach notifications were part of the
American Recovery and Reinvestment Act of 2009 passed earlier this year
by Congress.
The
regulations require health care providers and other HIPAA-covered
entities to
promptly notify affected individuals of a breach. In cases involving
more than 500 individuals, covered entities are required to also notify
the HHS and the media. Breaches affecting fewer than 500 individuals
will be
reported to the HHS Secretary on an annual basis.

The new regulations also
require business associates of covered entities to notify the covered
entity of breaches at or by the business associate.
"This new
federal law ensures that covered entities and business associates are
accountable to the Department and to individuals for proper
safeguarding of the private information entrusted to their care," Robinsue Frohboese,
acting director and principal deputy director of the HHS Office of Civil Rights, said in a statement. "These
protections will be a cornerstone of maintaining consumer trust as we
move forward with meaningful use of electronic health records and
electronic exchange of health information."

Entities subject to the HHS and FTC
(Federal Trade Commission) regulations that secure health information
through encryption or destruction are not subject to the HHS breach
notifications.

In conjunction with the HHS regulations, the FTC also has issued
companion breach notification regulations that apply to vendors of
personal health records and certain others not covered by HIPAA.